====================================================== WARNING: possible circular locking dependency detected 4.14.302-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.4/9516 is trying to acquire lock: (&ovl_i_mutex_dir_key[depth]#3){++++}, at: [] inode_lock_shared include/linux/fs.h:729 [inline] (&ovl_i_mutex_dir_key[depth]#3){++++}, at: [] lookup_slow+0x129/0x400 fs/namei.c:1674 but task is already holding lock: (&oi->lock){+.+.}, at: [] ovl_nlink_start+0x22f/0x460 fs/overlayfs/util.c:523 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&oi->lock){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 ovl_copy_up_start+0x40/0xe0 fs/overlayfs/util.c:318 ovl_copy_up_one+0x21f/0x910 fs/overlayfs/copy_up.c:631 ovl_copy_up_flags+0xd5/0x120 fs/overlayfs/copy_up.c:686 ovl_rename+0x164/0xe50 fs/overlayfs/dir.c:939 vfs_rename+0x560/0x1820 fs/namei.c:4498 SYSC_renameat2 fs/namei.c:4646 [inline] SyS_renameat2+0x95b/0xad0 fs/namei.c:4535 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 -> #1 (sb_writers#3){.+.+}: percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] __sb_start_write+0x64/0x260 fs/super.c:1342 sb_start_write include/linux/fs.h:1551 [inline] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 ovl_do_remove+0x67/0xb90 fs/overlayfs/dir.c:759 vfs_rmdir.part.0+0x144/0x390 fs/namei.c:3910 vfs_rmdir fs/namei.c:3895 [inline] do_rmdir+0x334/0x3c0 fs/namei.c:3970 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 -> #0 (&ovl_i_mutex_dir_key[depth]#3){++++}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 down_read+0x36/0x80 kernel/locking/rwsem.c:24 inode_lock_shared include/linux/fs.h:729 [inline] lookup_slow+0x129/0x400 fs/namei.c:1674 lookup_one_len_unlocked+0x3a0/0x410 fs/namei.c:2595 ovl_lower_positive+0x184/0x350 fs/overlayfs/namei.c:783 ovl_do_remove+0x12a/0xb90 fs/overlayfs/dir.c:772 vfs_unlink+0x230/0x470 fs/namei.c:4029 do_unlinkat+0x30c/0x5c0 fs/namei.c:4094 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 other info that might help us debug this: Chain exists of: &ovl_i_mutex_dir_key[depth]#3 --> sb_writers#3 --> &oi->lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&oi->lock); lock(sb_writers#3); lock(&oi->lock); lock(&ovl_i_mutex_dir_key[depth]#3); *** DEADLOCK *** 5 locks held by syz-executor.4/9516: #0: (sb_writers#14){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline] #0: (sb_writers#14){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 #1: (&ovl_i_mutex_dir_key[depth]/1){+.+.}, at: [] inode_lock_nested include/linux/fs.h:754 [inline] #1: (&ovl_i_mutex_dir_key[depth]/1){+.+.}, at: [] do_unlinkat+0x201/0x5c0 fs/namei.c:4080 #2: (&ovl_i_mutex_key[depth]){+.+.}, at: [] inode_lock include/linux/fs.h:719 [inline] #2: (&ovl_i_mutex_key[depth]){+.+.}, at: [] vfs_unlink+0xc0/0x470 fs/namei.c:4020 #3: (sb_writers#3){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline] #3: (sb_writers#3){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 #4: (&oi->lock){+.+.}, at: [] ovl_nlink_start+0x22f/0x460 fs/overlayfs/util.c:523 stack backtrace: CPU: 0 PID: 9516 Comm: syz-executor.4 Not tainted 4.14.302-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 down_read+0x36/0x80 kernel/locking/rwsem.c:24 inode_lock_shared include/linux/fs.h:729 [inline] lookup_slow+0x129/0x400 fs/namei.c:1674 lookup_one_len_unlocked+0x3a0/0x410 fs/namei.c:2595 ovl_lower_positive+0x184/0x350 fs/overlayfs/namei.c:783 ovl_do_remove+0x12a/0xb90 fs/overlayfs/dir.c:772 vfs_unlink+0x230/0x470 fs/namei.c:4029 do_unlinkat+0x30c/0x5c0 fs/namei.c:4094 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 RIP: 0033:0x7fdf0e7a30a9 RSP: 002b:00007fdf0cd15168 EFLAGS: 00000246 ORIG_RAX: 0000000000000057 RAX: ffffffffffffffda RBX: 00007fdf0e8c2f80 RCX: 00007fdf0e7a30a9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000340 RBP: 00007fdf0e7feae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd7e79861f R14: 00007fdf0cd15300 R15: 0000000000022000 serio: Serial port pts0 syz-executor.4 (9516) used greatest stack depth: 24104 bytes left netlink: 48 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 80 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 56 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 80 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 68 bytes leftover after parsing attributes in process `syz-executor.4'. IPv6: NLM_F_CREATE should be specified when creating new route syz-executor.3 uses obsolete (PF_INET,SOCK_PACKET) netlink: 88 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 60 bytes leftover after parsing attributes in process `syz-executor.1'. IPv6: NLM_F_CREATE should be specified when creating new route netlink: 80 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 64 bytes leftover after parsing attributes in process `syz-executor.3'. tc_ctl_action: received NO action attribs netlink: 48 bytes leftover after parsing attributes in process `syz-executor.1'. Unknown ioctl -2080336862 IPv6: NLM_F_CREATE should be specified when creating new route tc_ctl_action: received NO action attribs L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. ====================================================== WARNING: the mand mount option is being deprecated and will be removed in v5.15! ====================================================== EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue Zero length message leads to an empty skb nla_parse: 36 callbacks suppressed netlink: 156 bytes leftover after parsing attributes in process `syz-executor.4'. x_tables: ip6_tables: TPROXY target: used from hooks FORWARD, but only usable from PREROUTING netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. PF_BRIDGE: RTM_SETLINK with unknown ifindex netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. tc_ctl_action: received NO action attribs netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. batadv0: Invalid MTU 0 requested, hw min 68